BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.troopers.de//tr26-cfp//speaker//Q7NYZE
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-tr26-cfp-YFRZ9U@cfp.troopers.de
DTSTART;TZID=CET:20260625T141500
DTEND;TZID=CET:20260625T151500
DESCRIPTION:Jingle Thief is a financially motivated campaign that operated 
 almost entirely within Microsoft 365 tenants. After credential theft via p
 hishing and smishing\, the threat actors conducted cloud reconnaissance ac
 ross SharePoint and OneDrive\, expanded compromise through internal phishi
 ng\, manipulated mailbox rules\, and established persistence via device re
 gistration and authentication method changes in Entra ID.\n\nThis session 
 analyzes Jingle Thief as a cloud identity intrusion model rather than a tr
 aditional fraud case study. We will examine how native Microsoft 365 and E
 ntra ID functionality was abused to scale compromise\, sustain long-term a
 ccess\, and evade detection. The talk concludes with practical detection a
 nd monitoring considerations across Exchange Online\, SharePoint\, OneDriv
 e\, and Entra ID telemetry.
DTSTAMP:20260510T025858Z
LOCATION:Track 2
SUMMARY:Jingle Thief: Cloud Identity Tradecraft in Microsoft 365 and Entra 
 ID - Stav Setty
URL:https://cfp.troopers.de/tr26-cfp/talk/YFRZ9U/
END:VEVENT
END:VCALENDAR